NightClub
NightClub is a modular malware framework/backdoor used by the cyberespionage group MoustachedBouncer since at least 2014. ESET reported that MoustachedBouncer has targeted foreign embassies in Belarus and assessed with medium confidence that the group is aligned with Belarusian interests. NightClub uses email protocols for command and control, specifically SMTP and IMAP, and can also use SMTP and DNS for file exfiltration and C2. Reported NightClub capabilities include monitoring removable drives, enumerating the active window via GetForegroundWindow, screen capture through a module using CreateCompatibleDC and GdipSaveImageToStream, and audio capture through a module leveraging the LAME encoder and mciSendStringW. It has copied captured files and keystrokes to the %TEMP% directory of compromised hosts.
For persistence and defense evasion, NightClub has modified the Registry to set the ServiceDLL for a created service and has created a service named WmdmPmSp to spoof a Windows Media service. It can also modify the creation, access, and write timestamps of malicious DLLs to match those of the legitimate Windows DLL user32.dll. NightClub has used legitimate-looking filenames, including EsetUpdate-0117583943.exe for a dropper. ESET reported that a 2014 NightClub dropper wrote a DLL to %SystemRoot%\System32\creh.dll and persisted via the WmdmPmSp service. A 2017 version used plugins stored as DLLs under %APPDATA%\NvmFilter\ with a single export named Starts. Versions observed in 2020-2022 used an external JSON configuration file at %APPDATA%\Microsoft\def\Gfr45.cfg, an orchestrator named svhvost.exe, a module agent named schvost.exe, and persistence via a service named vAwast; plugin DLLs were disguised with a .ini extension. NightClub also included a DNS-tunneling backdoor plugin, ParametersParserer.dll, which exchanged commands and exfiltrated data via DNS TXT records using modified base64 encoding and domains ending in 11.1.1.cid and 12.1.1.cid. Reported exfiltration accounts included attacker-controlled Seznam.cz accounts in 2014 and Mail.ru accounts in 2017.
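The DNS-tunneling plugin described above gives defenders a concrete hunt: TXT queries whose names end in the reported `11.1.1.cid` / `12.1.1.cid` suffixes. The following Python is an added example, not part of the original page or of any vendor tooling; it runs over constructed sample log lines in a simplified "timestamp host qtype qname" format and, beyond the reported suffixes, also flags long high-entropy leftmost labels, a generic signal for data encoded into a query name.

```python
import math
from collections import Counter

# Domain suffixes reported for NightClub's DNS-tunneling plugin (from the text
# above); the leading dot avoids matching unrelated longer labels.
NIGHTCLUB_DNS_SUFFIXES = (".11.1.1.cid", ".12.1.1.cid")

# Constructed sample DNS query log; the encoded labels are made up for the demo.
SAMPLE_DNS_LOG = """\
2022-03-01T10:00:01Z WS-17 A www.example.com
2022-03-01T10:00:02Z WS-17 TXT aGVsbG8td29ybGQ-dGhpcy1pcy10ZXN0.11.1.1.cid
2022-03-01T10:00:03Z WS-17 TXT _dmarc.example.com
2022-03-01T10:00:04Z WS-22 TXT c2VjcmV0LWRvY3VtZW50LWRhdGE.12.1.1.cid
2022-03-01T10:00:05Z WS-22 A cdn.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_suspicious_txt_query(qtype: str, qname: str):
    """Return a reason string if the query looks like NightClub's DNS channel, else None."""
    if qtype != "TXT":
        return None
    if qname.endswith(NIGHTCLUB_DNS_SUFFIXES):
        return "known NightClub suffix"
    # Generic heuristic beyond the reported IOCs: a long, high-entropy leftmost
    # label is typical of base64-like data packed into a TXT query name.
    label = qname.split(".")[0]
    if len(label) >= 20 and shannon_entropy(label) > 3.5:
        return "long high-entropy label"
    return None


def hunt_dns_log(log_text: str):
    """Return (host, qname, reason) for every flagged line in the log."""
    hits = []
    for line in log_text.splitlines():
        _ts, host, qtype, qname = line.split()
        reason = is_suspicious_txt_query(qtype, qname)
        if reason:
            hits.append((host, qname, reason))
    return hits
```

Real telemetry (resolver logs, Sysmon Event ID 22) needs its own field parsing in place of the `split()`; the two detection functions are unchanged.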
Groups observed using it
1 distinct threat actor attributed by public researchers.
Since 2014, the group has been operating a malware framework that we have named NightClub. It uses the SMTP and IMAP (email) protocols for C&C communications.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (2 techniques)
Persistence (4 techniques)
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
Catchamas creates three Registry keys to establish persistence by adding a Windows Service; TEARDROP modified the Registry to create a Windows service for itself; NightClub set the ServiceDLL for a service created by the malware.
InvisiMole can collect data from the system, and can monitor changes in specified directories. NightClub can use a file monitor to steal specific files from targeted systems.
Agent Tesla can achieve persistence by modifying Registry key entries. Attor's dispatcher can modify the Run registry key. Kimsuky has also modified the HKCU:\Software\Microsoft\Windows\CurrentVersion\Run registry key for persistence, using the value name WindowsSecurityCheck. PLAINTEE uses reg add to add a Registry Run key for persistence.
Privilege Escalation (3 techniques)
The procedures documented here are the same as those listed under Persistence above (service creation via the Registry, file monitoring, and Run-key modification).
Stealth (6 techniques)
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
Defense Impairment (1 technique)
Credential Access (1 technique)
Discovery (4 techniques)
Multiple malware families are described as identifying/enumerating open windows or capturing foreground window titles (e.g., via EnumWindows, GetForegroundWindow, GetWindowText) to understand user activity and provide context for keylogging/screen capture.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
BADNEWS crawls the victim's local drives and collects documents with selected extensions; Machete searches the file system for files of interest; Rover searches for files on local drives based on a predefined list of file extensions.
The content repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.
Collection (6 techniques)
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
Command and Control (4 techniques)
Exfiltration (2 techniques)
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels... CURIUM has used IMAP and SMTPS for exfiltration via tools such as IMAPLoader... Kevin can send data from the victim host through a DNS C2 channel... NightClub can use SMTP and DNS for file exfiltration and C2.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Malware that aligns malicious DLL timestamps with legitimate Windows DLLs for stealth.
Modular C++ espionage implant framework used for embassy targeting. Uses email (SMTP/IMAP) for C2 and exfiltration, supports plugin delivery (e.g., keylogger, screenshotter, audio recorder, file monitor/stealer), and includes a DNS-tunneling backdoor module in later versions. Persists via Windows services and uses encrypted/externally stored configuration in newer variants.
Backdoor that loads a module using LAME encoder and mciSendStringW to control and capture audio.
Backdoor malware that monitors removable drives.